[Mailman-Users] Automated Subscription Bots Inundating List Owners With Subscription Requests

Ivan Fetch ifetch at du.edu
Sun Dec 9 17:14:59 CET 2012


On Nov 24, 2012, at 4:11 PM, Mark Sapiro <mark at msapiro.net> wrote:

> Mark Sapiro wrote at
> <http://mail.python.org/pipermail/mailman-users/2012-November/074415.html>:
> 
>> I have implemented a simple version of what I think you requested in
>> your post at
>> <http://mail.python.org/pipermail/mailman-users/2012-October/074287.html>.
>> 
>> It is implemented by the attached patch against Mailman 2.1.15.
> 
> 
> I have augmented that patch with a timestamp and it now also checks that
> the hash is no older than mm_cfg.FORM_LIFETIME. See
> <https://launchpad.net/bugs/1082746> and
> <http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1371>
> for a bug report and the patch which will be released with Mailman 2.1.16.



I would like to apply this same patch to a 2.1.14 installation.

I downloaded the three modified files from this patch, and diffed them against 2.1.14 files. It looks like this patch will mostly apply to 2.1.14, but I'm not sure about the differences relating to comparing passwords, and the use of "strip." See 128,129c146,147 in the patch below for what I am asking about.


Here is my diff:


1c1
< # Copyright (C) 1998-2009 by the Free Software Foundation, Inc.
---
> # Copyright (C) 1998-2012 by the Free Software Foundation, Inc.
22a23
> import time
112c113
<     email = cgidata.getvalue('email', '')
---
>     email = cgidata.getvalue('email', '').strip()
122a124,140
>     # Are we checking the hidden data?
>     if mm_cfg.SUBSCRIBE_FORM_SECRET:
>         now = int(time.time())
>         try:
>             ftime, fhash = cgidata.getvalue('sub_form_token', '').split(':')
>             then = int(ftime)
>         except ValueError:
>             ftime = fhash = ''
>             then = now
>         token = Utils.sha_new(mm_cfg.SUBSCRIBE_FORM_SECRET +
>                               ftime +
>                               mlist.internal_name() +
>                               remote).hexdigest()
>         if now - then > mm_cfg.FORM_LIFETIME:
>             results.append(_('The form is too old.  Please GET it again.'))
>         if token != fhash:
>             results.append(_('You must GET the form before submitting it.'))
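Review bot: the `except ValueError:` around `cgidata.getvalue('sub_form_token', '').split(':')` only covers a malformed string; if the form field is repeated, `cgi.FieldStorage.getvalue` returns a list and `.split` raises `AttributeError`, which escapes this block as a CGI traceback instead of the "You must GET the form" message. Using `cgidata.getfirst('sub_form_token', '')` (or also catching `AttributeError`) keeps a malformed submission on the same rejection path as a missing token. Two smaller points in the same hunk: the missing-token case deliberately sets `then = now` so only the hash-mismatch message is reported, which is worth a comment since it is easy to misread as a bug, and `token != fhash` is an ordinary string comparison, so if a constant-time compare is available on the target Python it would be the better choice for comparing a secret-derived digest.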
128,129c146,147
<     password = cgidata.getvalue('pw')
<     confirmed = cgidata.getvalue('pw-conf')
---
>     password = cgidata.getvalue('pw', '').strip()
>     confirmed = cgidata.getvalue('pw-conf', '').strip()
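Review bot: this hunk changes the contract of `password` and `confirmed`, not just their whitespace: with a default of `''` and `.strip()`, `cgidata.getvalue` can no longer return `None`, so the original `password is None` / `confirmed is None` tests on lines 131 and 133 would never be true, and an empty or whitespace-only value is now treated like a field that was not supplied at all. That is why the two following hunks (131c149 and 133c151) rewrite those tests as `not password` / `not confirmed`; the three hunks must be applied together, and applying only this one to 2.1.14 would silently skip the "no password given" branch.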
131c149
<     if password is None and confirmed is None:
---
>     if not password and not confirmed:
133c151
<     elif password is None or confirmed is None:
---
>     elif not password or not confirmed:


